Re: [PATCH] Enhanced Trusted Path Execution (TPE) Linux Security Module

From: Chris Wright (chrisw@private)
Date: Wed Jan 05 2005 - 21:26:29 PST


* Lorenzo Hernández García-Hierro (lorenzo@private) wrote:
> This patch adds support for an enhanced Trusted Path Execution (TPE)
> subsystem relying on the Linux Security Modules framework.
> It's a rewrite of IBM's TPE LSM module by Niki A. Rahimi, which
> adds a couple of improvements and feature enhancements.

Thanks for taking interest and working on this.

> The most notable of them are support for per-gid access control
> lists at runtime and at kernel-configuration time (adds support for
> trusted and untrusted user groups), a procfs interface for statistics
> and runtime information, and debugging capabilities (for limiting the
> garbage messages).

How does per-gid help in this case (esp. the desktop scenario you
mentioned)?  And the /proc/tpe file might as well go under sysfs with
the rest of the other entries instead of cluttering /proc.

> The reasons that make sense of including this are that standard
> Vanilla kernels have SELinux and LSM (SELinux already supports TPE
> functionalities), but SELinux has fewer possibilities of being used by
> those desktop or just not experienced users who are not already using
> their distribution-specific SELinux implementation, even if they want
> simple protections for their everyday system use. Also, the
> availability of some patch-sets with security enhancements (like
> grsecurity) distracts users from using the LSM framework or even
> SELinux itself. In addition, this TPE has more features than
> grsecurity's one in terms of per-user and per-group ACLs, which makes
> the management of the TPE protection easy.
> In short, after a first review you can see that it could be worth
> including this in the kernel sources.

The two biggest issues are 1) it's trivial to bypass:
$ /lib/ld.so /untrusted/path/to/program
and 2) that there's no (visible/vocal) user base calling for the feature.

So working those issues will help make a better case for mainline
inclusion.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
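The bypass Chris points out is a property of where a path-based TPE check sits, not of one particular implementation. The following userspace model is an added example, not code from the TPE LSM patch or from the thread's authors: it applies the usual TPE trust rule (the executed file's directory must be root-owned and neither group- nor world-writable; root and members of a trusted group are exempt) to the file passed to execve(), and then shows that an execve() of the dynamic loader with an untrusted program as its argument passes that rule because the kernel only ever sees the loader. The directory metadata, uids, gids, the trusted-group semantics and the loader path are all constructed for the example, and the mapping check at the end models an assumed PROT_EXEC mapping hook that the message itself does not describe.

```python
"""Userspace model of a Trusted Path Execution (TPE) policy decision.

Added example, not code from the TPE LSM patch discussed in the thread.
Directory metadata, uids, gids and the loader path are constructed.
"""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class DirInode:
    uid: int    # owner
    mode: int   # permission bits (including sticky bit)


# Constructed directory metadata, keyed by absolute path.
FS = {
    "/bin":        DirInode(uid=0,    mode=0o755),
    "/lib":        DirInode(uid=0,    mode=0o755),
    "/tmp":        DirInode(uid=0,    mode=0o1777),  # world-writable
    "/home/alice": DirInode(uid=1000, mode=0o755),   # not root-owned
}

# Constructed path of the dynamic loader; the reply uses /lib/ld.so.
LOADER = "/lib/ld.so"


@dataclass(frozen=True)
class Policy:
    # Members of these groups are exempt from TPE (assumed semantics of a
    # per-gid "trusted group"; the message does not define them).
    trusted_gids: frozenset = frozenset()


def path_is_trusted(path: str) -> bool:
    """Directory of `path` is root-owned and neither group- nor world-writable."""
    inode = FS.get(os.path.dirname(path))
    if inode is None or inode.uid != 0:
        return False
    return not (inode.mode & (stat.S_IWGRP | stat.S_IWOTH))


def subject_to_tpe(uid: int, gids: frozenset, policy: Policy) -> bool:
    """Root and members of a trusted group are not restricted."""
    if uid == 0:
        return False
    return not (gids & policy.trusted_gids)


def allow_exec(uid: int, gids: frozenset, path: str, policy: Policy) -> bool:
    """The execve() hook: only the file handed to the kernel is checked."""
    if not subject_to_tpe(uid, gids, policy):
        return True
    return path_is_trusted(path)


def exec_decision(uid, gids, argv, policy):
    """Evaluate an execve(argv[0], argv) request.

    Returns (execve_allowed, program_that_actually_runs, mapping_allowed).
    When argv[0] is the loader, the kernel executes the trusted loader and
    the loader maps argv[1] executable itself, so an execve-only check never
    sees the untrusted file. mapping_allowed applies the same trust rule to
    that mapped file, modelling an assumed executable-mapping hook.
    """
    target = argv[0]
    execve_ok = allow_exec(uid, gids, target, policy)
    if target == LOADER and len(argv) > 1:
        real_program = argv[1]
    else:
        real_program = target
    mapping_ok = allow_exec(uid, gids, real_program, policy)
    return execve_ok, real_program, mapping_ok


if __name__ == "__main__":
    policy = Policy(trusted_gids=frozenset({27}))
    alice = (1000, frozenset({100}))
    print("direct exec of /home/alice/tool:",
          exec_decision(*alice, ["/home/alice/tool"], policy))
    print("via loader:",
          exec_decision(*alice, [LOADER, "/home/alice/tool"], policy))
```

Run as a script, the direct execve of the untrusted file is denied while the loader invocation is allowed by the execve check and only caught by the mapping check; that gap is what makes a per-gid refinement of the execve rule alone insufficient.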

This archive was generated by hypermail 2.1.3 : Wed Jan 05 2005 - 21:26:56 PST